authorEugene Rodionov <rodionov@google.com>2020-11-10 22:27:44 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-11-10 22:27:44 +0000
commita139e98c85270d811104aa3659f4ce0a6c395f54 (patch)
tree5e68befd6294de3b6d19fc35d396b551ea39b29a
parent0cff1e151f793ec674924570b65b28304b1e4aa3 (diff)
parentf4e068b00e77a69a4611377c7663b0c700ad8151 (diff)
downloaddng_sdk-a139e98c85270d811104aa3659f4ce0a6c395f54.tar.gz
Add a fuzz target to test DNG image parsing in dng_sdk. am: 0c2c0ca07a am: 49be9325f2 am: f4e068b00e
Original change: https://android-review.googlesource.com/c/platform/external/dng_sdk/+/1487679 Change-Id: If8b5c82874c353315bcf6b8a9147141f00777fc5
-rw-r--r--fuzzer/Android.bp26
-rw-r--r--fuzzer/README.md47
-rw-r--r--fuzzer/dng_parser_fuzzer.cpp36
-rwxr-xr-xfuzzer/seeds/CVE_2020_9589/original.dngbin0 -> 266600 bytes
-rwxr-xr-xfuzzer/seeds/CVE_2020_9589/poc.dngbin0 -> 266600 bytes
5 files changed, 109 insertions, 0 deletions
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..5bf44fa
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,26 @@
+cc_fuzz {
+ name: "dng_parser_fuzzer",
+ host_supported: true,
+ srcs: [
+ "dng_parser_fuzzer.cpp",
+ ],
+ cflags: [
+ "-Wno-unused-parameter",
+ "-fexceptions",
+ ],
+ static_libs: [
+ "libdng_sdk",
+ "libjpeg",
+ "liblog",
+ "libz",
+ ],
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+ corpus: [
+ "seeds/CVE_2020_9589/original.dng",
+ "seeds/CVE_2020_9589/poc.dng",
+ ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ dng_host host;
+ dng_memory_stream stream(host.Allocator());
+
+ stream.Put(data, size);
+ stream.SetReadPosition(0);
+
+ std::unique_ptr<dng_negative> negative(host.Make_dng_negative());
+
+ try {
+ dng_info info;
+ info.Parse(host, stream);
+ info.PostParse(host);
+
+ if (info.IsValidDNG()) {
+ negative->Parse(host, stream, info);
+ negative->PostParse(host, stream, info);
+ negative->ReadStage1Image(host, stream, info);
+ }
+ } catch (dng_exception &e) {
+ // dng_sdk throws C++ exceptions on errors
+ // catch them here to prevent libFuzzer from crashing.
+ }
+
+ return 0;
+}
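Review bot: `std::unique_ptr` is used on the line `std::unique_ptr<dng_negative> negative(host.Make_dng_negative());` without `<memory>` being included, so the target compiles only as long as one of the dng_sdk headers keeps pulling it in transitively; add `#include <memory>` to the system-header group at the top of the file. The catch clause binds `e` but never reads it, and `} catch (const dng_exception &) {` states the intent more directly. It also only catches `dng_exception`; if the host allocator or any of the Parse/Read calls can raise another exception type, it will escape `LLVMFuzzerTestOneInput` and be reported as a crash rather than a rejected input, which is worth confirming against the dng_sdk sources before relying on the corpus results.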
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
new file mode 100755
index 0000000..a30ac76
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/original.dng
Binary files differ
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
new file mode 100755
index 0000000..b838844
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/poc.dng
Binary files differ